Author: ZeroBreak (zerobreak@softhome.net)
Published: 02.05.02
Released: 02.08.02
Software: Sybex E-Trainer

Prelude:
Sybex E-Trainers are computer-based training courses. They run through a web interface using your web browser. When you launch a course, it loads its own web server and launches your default web browser, which connects to the server locally on the default HTTP port, 80. When you close your browser, the web server also shuts down.

Vulnerability:
The vulnerability is the infamous ".." directory traversal. With a specially crafted request to the web server, you can view any file on the target's computer under the logged-in user's permissions. The request is in the format of:

http://target/netget?sid=user&msg=300&file=/../../../filename.ext

The web server is only running while a user runs the e-trainer course. When the user closes the browser, the web server also shuts down. However, if the user opens the e-trainer and uses the same browser window to start browsing other websites, the web server stays open. This could leave the vulnerable server running for an even longer period of time. It should also be noted that this web server has no logging features and accepts connection requests from any host, not just from the local host.

Exploit:
You got a web browser, don't you?

Fix:
I shot an email to Sybex on the 5th, but haven't gotten a response back, although my email provider has been having trouble lately.

Conclusion:
This is not a huge vulnerability, but it depends how you look at it. It can easily take an otherwise secured system and leave it wide open for intruders, leaking sensitive or potentially confidential information.
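
The two server-side checks that would close the issues described above, canonicalising the `file` parameter against the course directory and refusing non-local clients, are sketched here as an added example; it is not Sybex's code and not from the advisory's author. The function names, the course root directory and the sample files are assumptions, since the advisory does not describe how the server is implemented.

```python
import ipaddress
import os
import tempfile
from urllib.parse import parse_qs, urlsplit

def is_loopback(client_ip):
    """The course server only ever needs to answer the local browser."""
    return ipaddress.ip_address(client_ip).is_loopback

def resolve_course_file(course_root, request_target):
    """Map the `file` parameter to a path inside course_root, or None if it escapes."""
    values = parse_qs(urlsplit(request_target).query).get("file")  # percent-decoded
    if not values or len(values) != 1 or "\x00" in values[0]:
        return None
    # Treat the value as relative to the course root even with a leading slash.
    relative = values[0].replace("\\", "/").lstrip("/")
    root = os.path.realpath(course_root)
    # Canonicalise first so "..", symlinks and mixed separators are resolved.
    candidate = os.path.realpath(os.path.join(root, relative))
    try:
        inside = os.path.commonpath([root, candidate]) == root
    except ValueError:  # e.g. a path on another drive on Windows
        inside = False
    return candidate if inside and os.path.isfile(candidate) else None

def handle(client_ip, request_target, course_root):
    """Return (status, path) for one request (hypothetical handler)."""
    if not is_loopback(client_ip):
        return 403, None
    path = resolve_course_file(course_root, request_target)
    return (200, path) if path else (404, None)

def demo():
    # Constructed layout: a course root with one page, and one file outside it.
    base = tempfile.mkdtemp()
    root = os.path.join(base, "course")
    os.makedirs(os.path.join(root, "pages"))
    with open(os.path.join(root, "pages", "intro.htm"), "w") as f:
        f.write("lesson")
    with open(os.path.join(base, "outside.txt"), "w") as f:
        f.write("not course content")
    q = "/netget?sid=user&msg=300&file="
    return [
        handle("127.0.0.1", q + "/pages/intro.htm", root)[0],   # course file
        handle("127.0.0.1", q + "/../outside.txt", root)[0],    # ".." escape
        handle("127.0.0.1", q + "/..%2Foutside.txt", root)[0],  # encoded separator
        handle("192.0.2.10", q + "/pages/intro.htm", root)[0],  # non-local client
    ]

if __name__ == "__main__":
    print(demo())
```

Binding the listening socket to 127.0.0.1 instead of all interfaces achieves the same client restriction before any request is parsed.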